API gateways are primarily used for HTTP traffic coming from clients external to your backend services, e.g. an iOS device (hence the term 'gateway' vs. 'mesh'). I don't think they support Thrift or gRPC (at least AWS doesn't, not sure about other providers).
https://aws.amazon.com/api-gateway/
That can work, but it means you simply outsourced the problem to AWS. It's not a bad idea per se, but it means your service needs to talk, in some way, HTTP.
You could use the service mesh thing from AWS, along with Cognito JWTs, for authentication and authorization.
We want to automate everything not related to the code we want to write. Service meshes sound like a good way to do that.